If MyBroadband is alerted to an online data leak, where sensitive data of South Africans is available online, how long should we wait until we publish an article about it?
South Africa’s biggest forum. Discuss, discover, and connect with thousands of members.
Surely then it's a journalist's duty to expose unethical decisions?I think you should give the company concerned at least time to secure the leaky system and take down (if possible - probably not) the leaked data before opening the floodgates.
Publication should be a last resort to force the company to do something about it if they seem unwilling.
I have uncovered security issues in some ISPs' systems before, and have somehow managed NOT to run to the press in order to get it rectified. Whether those companies choose to inform their clients is, I believe, their ethical call.
In the recent case, I believe MyBB was used to attempt to discredit a company, and you guys need to be VERY aware of this kind of thing. You could cause more harm than good.
Absolutely. But, as I was not a client of the ISPs concerned I am not able to verify whether in fact they did inform potentially impacted customers.Surely then it's a journalist's duty to expose unethical decisions?
Shouldn't companies have contingency plans already in place for when, not if, data leaks?
MickeyD has a good point. Perhaps there needs to be some kind of standard procedure where companies can subscribe to a closed mailing list where this kind of data loss is disclosed - confidentiality a provision of membership etc...?
Keep in mind the leaked information is in most likelihood immediately available to the sort of people you really don't want to have it. Someone posted the data to mybb, haveibeenpwned.com, and who knows where else. Clients need to be made aware of this asap, not when the company involved deems fit.
For sure. But is the media the right channel? Since suddenly a lot more people would have access to it... Temptation and all that?
How else do you disseminate the info quickly and as broadly. I'm sure the readership of mybb news exceeds the forum by a long shot.
What about the immediate harm that befalls the client? Is that superseded by the desires of the company involved?Whichever media outlet receives the "tip off" also needs to determine whether the leak is of a malicious nature, i.e. there is a suspicion of direct intent to harm the company involved.
What about the immediate harm that befalls the client? Is that superseded by the desires of the company involved?
I'm sure we both know people… friends, family, etc… who recycle passwords no matter what we tell them.Clients should also take due care with their online details. Not victim-blaming here, but people should really take a good lesson away from this. Unique passwords per service!
If it is a malicious attack then by the time that the hackers have tipped off the media (eg. mybb) they have already made those details available to the dark side. The hacked company has the easiest task; mitigate the risk and protect their customers from further harm (reset passwords, plug the leak, etc). It's the other companies involved that need to be informed to determine the impact of the leak on them and their customers (who are also customers of the hacked company).What about the immediate harm that befalls the client? Is that superseded by the desires of the company involved?
If it is a malicious attack then by the time that the hackers have tipped off the media (eg. mybb) they have already made those details available to the dark side. The hacked company has the easiest task; mitigate the risk and protect their customers from further harm (reset passwords, plug the leak, etc). It's the other companies involved that need to be informed to determine the impact of the leak on them and their customers (who are also customer of the hacked company).